9 Answers
9

It is very difficult to detect sniffers, because they work passively. Some sniffers do generate small amounts of traffic and though, so there are some techniques for detecting them.

Machines cache ARPs (Address Resolution Protocol). Sending a non-broadcast ARP, a machine in promiscuous mode (a network card that makes the card pass all traffic) will cache your ARP address. Then, sending a broadcast ping packet with our IP, but a different MAC address. Only a machine which has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request. So, if the machine is responding, it must be sniffing.

Most sniffers do some parsing. Sending huge amount of data and pinging the suspect machine before and during the data flooding. If the network card of the suspected machine is in promiscuous mode, it will parse the data and increase the load on it. This way it take some extra time to respond to the ping. This little delay can be used as an indicator of whether a machine is sniffing or not. It could provoke some false positive, if there were some "normal" delays on the network because of high traffic.

The following method is old and not reliable any longer: sending a ping request with the IP address of the suspect machine but not its MAC address. Ideally nobody should see this packet as each network card will reject the ping because it doesn't match its MAC address. If the suspect machine is sniffing it will respond as it does not bother rejecting packets with a different Destination MAC address.

There are some tools which implment these techniques, for example open source tools like Neped and ARP Watch or AntiSniff for Windows, which is a commercial tool.

If you want to prevent sniffing, the best way is to use encryption for any network activity (SSH, https etc.). This way sniffers can read the traffic, but the data won’t make no sense to them.

Packet sniffing is a passive activity, it's generally not possible to tell if someone is sniffing your network. However, in order for someone on an wired, switched LAN to see traffic that's not destined just to or from their IP (or broadcast to the network/subnet) they need to either have access to a monitored/mirrored port that duplicates all traffic, or install a 'tap' on the gateway.

Best defense against sniffing is decent end-to-end encryption, and physical controls on sensitive hardware.

Edit: CPM, Neped, and AntiSniff are now 10-15 years stale... Think Linux kernel <2.2 or Windows NT4. If someone has access to a tap or mirror, it will generally be very difficult to detect. Manipulating ARP or DNS is probably the best bet, but it's far from a sure thing.

CPM, Neped and AntiSniff can be used to detect sniffing.
–
kmarshNov 18 '09 at 13:22

Have a look at 802.1x which can be another layer to protect layer 2 access to your lan. This stop people turning up and just plugging into your network. Reduce physical access to network points/switch cabinets. use end to end encryption. Use layer 3 switches! Assign each port it's own subnet! No arp at all! have a security policy!
–
The Unix JanitorMar 18 '10 at 16:09

Hubs (or really old network setups, like Thinnet/Thicknet) transfer all data across the wire at all times. Anyone plugged in would see every packet on their local segment. If you set your network card to promiscuous mode (read all packets, not just the ones sent directly to you) and run a packet capturing program you can see everything that happens, sniff passwords, etc.

Switches operate like old school network bridges-- they only transfer traffic out a port if it is either
a) broadcast
b) destined for that device

Switches maintain a cache indicating which MAC addresses are on which port (sometimes there will be a hub or switch daisy chained off a port). Switches do not replicate all traffic to all ports.

Higher end switches (for business use) may have special ports (Span or Management) which can be configured to replicate all traffic. IT departments use those ports to monitor traffic (legit sniffing). Detecting unauthorized sniffing should be easy-- go look at the switch and see if anything is plugged into that port.

There is a simple way to detect most sniffers. Put two boxes on the network which are not in DNS and are not used for anything else. Have them periodically ping or otherwise communicate with one another.

Now, monitor your network for any DNS lookups and/or ARP requests for their IPs. Many sniffers will by default look up any addresses they find, and thus any lookup on these devices would be a solid warning.

A clever hacker could turn off these lookups, but many wouldn't think to, and it would definitely slow him down.

Now, if he's smart enough to not enable DNS lookups, and prevents any ARPs for these devices, your task is much more difficult. At this point, you should work under the philosophy that the network is always being sniffed, and enact proactive procedures to prevent any vulnerabilities that would arise under this assumption. Several include:

Off the top of my head I'd watch switch SNMP interface data for interfaces that a host is receiving more data and/or sending less data than average. Look for anything outside of a standard deviation on either and you'll probably find the people most likely to be doing something they shouldn't.

It might not just be sniffers though, might find avid hulu/netflix watchers.

Your switches/router may also have features to watch for and catch people attempting to poison arp tables, that would be a pretty big givaway as well.

Wireshark is a great tool for monitoring network traffic. And it will look up names to match IP addresses, find the manufacturer from a MAC address, etc. Naturally, you can watch it doing these queries and then you know it's running.

Of course, you can turn these things off and then not be detected. And there are other programs designed to intentionally go undetected. So it's just something to consider while trying to answer this question.

The (I believe) only way you can sniff all traffic on a switched LAN is with a 'man in the middle' attack.
You basicly do ARP poisoning, stealing everyone's packets, reading them and sending them to the right computer afterwards.

There are probably multiple tools that can do this, I only know of one:

Ettercap can both perform the Mitm attack and detect one when someone else is doing it.